THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
earned patent term adjustment. See 37 CFR 1.704(b).

Status

4) ☒ Claim(s) 1-6, 10-17 and 21-35 is/are pending in the application.
5) □ Claim(s) is/are allowed.

Application Papers

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) □ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.
* See the attached detailed Office action for a list of the certified copies not received.



Attachment(s) 

1) ^ Notice of References Cited (PTO-892) 

2) Notice of Draftsperson's Patent Drawing Review (PTO-948) 

3) □ Information Disclosure Statement(s) (PTO-1449 or PTO/SB/08) 

Paper No(s)/Mail Date . 



4) □ Interview Summary (PTO-413) 

Paper No(s)/Mail Date. . 

5) □ Notice of Informal Patent Application (PTO-152) 

6) □ Other: . 



U.S. Patent and Trademark Office 
PTOL-326 (Rev. 1-04) 



Office Action Summary 



Part of Paper No./Mail Date 8 



Application/Control Number: 09/663,863 Page 2 

Art Unit: 2134 

DETAILED ACTION 

1. This office action is in response to applicant's amendment filed on
3/18/2004. Claims 1, 12, 23-24 and 29 are amended. Claims 7-9, 18-20 are
cancelled. Claims 1-6, 10-17 and 21-35 are pending.



Response to Arguments 

2. In respect to Applicant's remark for claims 7-9, Applicant contends that
Wiegel does not teach removal of duplicate rules in the cited portion of Wiegel (col.
13, lines 5-19). As Applicant points out, when a duplicate rule is found, an error
is given. However, the cited portion of Wiegel also states that "as duplicates are
not allowed (instead, if a rule for a flow needs to be changed the modify rule
trigger has to be used)". Therefore, Wiegel does implicitly teach the claimed
limitation because duplicate rules are to be modified (removed) since duplicate
rules are not allowed.

In response to Applicant's remark for claims 3 and 4, Applicant contends
that Wiegel does not teach "the specific order in which policy rules are evaluated,"
namely "the policy rules denying the action are evaluated first, the policy rules
conditionally denying the action are evaluated second, and the policy rules
permitting the action are evaluated". Examiner respectfully disagrees. Wiegel
teaches the deny list is evaluated before the accept list (col. 9, lines 29-33).
Wiegel also teaches using "nested If <conditional> then... If... then... otherwise..."
to evaluate a complex condition (col. 18, lines 1-40).

Claim Rejections - 35 USC § 103

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

Claims 1-6, 10-17 and 21-23 and 34 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over Wiegel (U.S. Patent No. 6,484,261) in view of Bal et 
al. (U.S. Patent No. 6,691,168, hereinafter Bal) and further in view of Abraham et 
al. (U.S. Patent No. 5,983,270). 

In respect to claim 1, Wiegel discloses a method for providing network
security features, comprising the steps of:

(a) identifying a plurality of network objects, (b) retrieving rule sets
associated with at least one of the identified network objects, the rule sets
including a plurality of policy rules that govern actions relating to the identified
network objects (see Wiegel, col. 8, lines 12-26);

Wiegel does not disclose but Bal discloses:

(c) reconciling overlapping policy rules of the rule sets amongst the
network objects; and (d) executing the reconciled rule sets (see col. 11, lines 15-30
and 45-53). It would have been obvious to one of ordinary skill in the art at
the time the invention was made to incorporate the teaching of Wiegel's network
security policy management with the teaching of Bal's method of high speed
network rule processing that uses different search strategies to handle different
situations between disjoint (no overlapped rules) and non-disjoint (overlapped
rules) sets of rules in order to speed up the search (see col. 11, lines 18-29).

Furthermore, Wiegel does not disclose but Abraham discloses wherein
rule sets are combined into a single rule set, and duplicate policy rules set are
removed; wherein a user is notified of conflicting policy rules of the rule sets (see
col. 7, lines 50-58, col. 35, lines 36-60 and col. 43, lines 23-36). Therefore, it
would have been obvious to one of ordinary skill in the art at the time the
invention was made to incorporate the teaching of Wiegel's with Abraham for
processing the network objects according to different rule sets by combining
rules to single rule set and removing duplicate rules and notifying user of
conflicting rules for the benefit of optimizing the policies stored in the database
(see Abraham, Abstract).

In respect to claim 2, Wiegel, Bal and Abraham disclose the method as 
recited in claim 1, wherein each policy rule of the reconciled rule sets includes a
rule action selected from the group consisting of permitting an action relating to 
the identified network objects, denying an action relating to the identified network 
objects, and conditionally denying an action relating to the identified network 
objects (see Wiegel, col. 10, lines 1-15). 

In respect to claim 3, Wiegel, Bal and Abraham disclose the method as
recited in claim 2, wherein an action relating to the identified network objects is
permitted if no policy rules deny the action, at least one policy rule conditionally
denies the action, and at least one policy rule permits the action (see Wiegel, col.
18, lines 1-40).

In respect to claim 4, Wiegel, Bal and Abraham disclose the method as
recited in claim 2, wherein the policy rules denying the action are evaluated first,
the policy rules conditionally denying the action are evaluated second, and the
policy rules permitting the action are evaluated third (see Wiegel, col. 9, lines 25-34
and col. 18, lines 1-40).

In respect to claim 5, Wiegel, Bal and Abraham disclose the method as
recited in claim 1, wherein an action relating to the identified network objects is
denied if none of the policy rules permit the action (see Wiegel, col. 9, lines 25-30).

In respect to claim 6, Wiegel, Bal and Abraham disclose the method as 
recited in claim 1, wherein an action relating to the identified network objects is
denied if none of the policy rules match a request for the action (see Wiegel, col. 
9, lines 26-30). 

In respect to claim 10, Wiegel, Bal and Abraham disclose the method as 
recited in claim 1 wherein the rule sets are associated with a particular network 
object (see Wiegel, col. 8, lines 12-26). 

In respect to claim 11, Wiegel, Bal and Abraham disclose the method as
recited in claim 1, wherein a protocol configuration enforced by a related proxy is
selected from a hierarchal list if an action is permitted by more than one rule (see
col. 3, line 59-col. 4, line 6 and col. 10, lines 1-15).

In respect to claims 12-17 and 21-22, the claim limitations are computer
program product claims that are substantially similar to method claims 1-6 and
10-11. Therefore, claims 12-17 and 21-22 are rejected based on the similar
rationale.

In respect to claim 23, the claim limitation is a system claim that is 
substantially similar to method claim 1. Therefore, claim 23 is rejected based on 
the similar rationale. 

In respect to claim 34, Wiegel, Bal and Abraham disclose the method as 
recited in claim 1, wherein a graphical user interface is provided for providing an
option to a user to apply both an AND operation and an OR operation to selected 
network objects (see Wiegel, col. 16, lines 25-34 and col. 18, lines 1-10). 

4. Claims 24-33 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Wiegel (U.S. Patent No. 6,484,261) in view of Abraham et al. (U.S. Patent 
No. 5,983,270). 

In respect to claim 24, Wiegel discloses a method for establishing network 
security, comprising the steps of: 

(a) providing a plurality of network objects of a network and a plurality of 
rule sets; (b) associating the network objects with the rule sets; (c) when the rule 
sets include a plurality of policy rules that govern actions relating to the identified 
network objects during operation of the network (see col. 1, lines 44-61 and 8,
lines 12-26). 

Wiegel does not disclose but Abraham discloses wherein rule sets are
combined into a single rule set (see col. 7, lines 50-58), and duplicate policy rules
set are removed; wherein a user is notified of conflicting policy rules of the rule
sets (see col. 7, lines 50-58, col. 35, lines 36-60 and col. 43, lines 23-36).
Therefore, it would have been obvious to one of ordinary skill in the art at the
time the invention was made to incorporate the teaching of Wiegel's with
Abraham for processing the network objects according to different rule sets by
combining rules to single rule set and removing duplicate rules and notifying user
of conflicting rules for the benefit of optimizing the policies stored in the database
(see Abraham, Abstract).

In respect to claim 25, Wiegel discloses the method as recited in claim 24, 
wherein a user is allowed to associate the network objects with the rule sets via a 
graphical user interface (see col. 1, lines 10-15). 

In respect to claim 26, Wiegel discloses the method as recited in claim 24, 
wherein each policy rule of the reconciled rule sets includes a rule action 
selected from the group consisting of: 

permitting an action relating to the identified network objects, denying an 
action relating to the identified network objects, and conditionally denying an 
action relating to the identified network objects (see col. 1, lines 1-15).

In respect to claim 27, Wiegel discloses the method as recited in claim 26, 
wherein an action relating to the identified network objects is permitted if no 
policy rules deny the action, at least one policy rule conditionally denies the 
action, and at least one policy rule permits the action (see col. 18, lines 1-40). 

In respect to claim 28, Wiegel discloses the method as recited in claim 24,
wherein an action relating to the identified network objects is denied if none of
the policy rules permit the action (see col. 9, lines 25-30).

In respect to claims 29-33, the claim limitations are computer program
product claims that are substantially similar to method claims 24-28. Therefore,
claims 29-33 are rejected based on the similar rationale.



Allowable Subject Matter 

5. Claim 35 is objected to as being dependent upon a rejected base claim, 
but would be allowable if rewritten in independent form including all of the 
limitations of the base claim and any intervening claims. 



Conclusion 

6. Applicant's amendment necessitated the new ground(s) of rejection 
presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. 
See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as 
set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first reply is 
filed within TWO MONTHS of the mailing date of this final action and the advisory 
action is not mailed until after the end of the THREE-MONTH shortened statutory 
period, then the shortened statutory period will expire on the date the advisory 
action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be 
calculated from the mailing date of the advisory action. In no event, however, will 
the statutory period for reply expire later than SIX MONTHS from the date of this 
final action.

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Tongoc Tran whose telephone number is 
(703) 305-7690. The examiner can normally be reached on 8:30-5:00 M-F. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Gregory A. Morse can be reached on (703) 308-4789. 
The fax phone number for the organization where this application or proceeding 
is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).